Date: Wed, 31 Mar 2021 16:45:17 +0200
From: Felix Palmen <felix@palmen-it.de>
To: freebsd-ports@freebsd.org
Subject: Re: Lessons from the PHP git repo "hack"
Message-ID: <20210331144517.oin3sa6i57mv6mjw@nexus.home.palmen-it.de>
In-Reply-To: <1035BFA8-667D-45CD-9066-848351F648EF@kreme.com>
References: <6314D726-F55D-4374-AB63-B17B7B3E4D14@kreme.com> <20210331135819.rzy3weyxunobnne6@nexus.home.palmen-it.de> <1035BFA8-667D-45CD-9066-848351F648EF@kreme.com>
List-Id: Porting software to FreeBSD

* @lbutlr [20210331 08:03]:
> On 31 Mar 2021, at 07:58, Felix Palmen wrote:
> > I'd say the lesson is keep your systems updated and pay attention to
> > keep your credentials safe/secret. I don't see how Github would
> > prevent such an incident any better.
>
> That is making an assumption that the people running the php git
> server were incompetent,

Also note this isn't assumed at all. "Incompetence", that could mean
several things, e.g.:

* A committer somehow "leaking" their credentials
* A configuration error on the server

Then, it could be the case the server just wasn't maintained well
enough, which is typically more an issue of time / manpower than of
incompetence. The move to Github somehow suggests that the people in
charge might suspect something like this.

And finally, they could also be the victim of some 0day. But then,
moving to Github would hardly reduce the risk.

So, is there any other scenario you have in mind?

-- 
Dipl.-Inform. Felix Palmen
{web} http://palmen-it.de
{jabber} [see email]
{pgp public key} http://palmen-it.de/pub.txt
{pgp fingerprint} A891 3D55 5F2E 3A74 3965 B997 3EF2 8B0A BC02 DA2A